Weeks after the panic — by when thousands had lost money — it emerged that hackers had penetrated the network to which some banks had outsourced ATM ops.

Sugata Ghosh | ET Bureau | February 23, 2017, 08:27 IST

MUMBAI: From late May to end July of 2016, India was struck by what is still the worst cyber breach to compromise the country’s payments network. Bank customers, including several foreign travellers, using as many as 3.2 million debit cards feared that their accounts had been hacked. Weeks after the panic — by when thousands had lost money — it surfaced that hackers had penetrated the network of Hitachi, to which some banks had outsourced their ATM transaction processing. RBI sent banks a flurry of dos and don’ts and held meetings with payments companies such as VISA, MasterCard and the National Payments Corporation of India; Hitachi hired a Bengaluru-based payments security firm to carry out a forensic audit.

The audit report, which was submitted to the regulator last week, brings out an uncomfortable truth that most Indian banks and corporates will now have to deal with: the anti-virus and anti-malware products they have installed are no match for targeted cyber attacks. What this means is that if the code of the malware the hacker introduces is written cleverly enough, it can get past most anti-malware defences.

The forensic team, stunned by the level of sophistication and ingenuity of the hackers who targeted Hitachi, has found that the malware (which is simply software) was so ingeniously written that it could spread within the Hitachi system at an alarming rate. This was despite Hitachi using some of the best security devices.

ET learns that the hackers created a ‘dummy code book’ within the Hitachi system — capturing all possible four-digit numbers from 0000 to 9999 — to steal the PINs (personal identification numbers) of customers whenever they used their cards to withdraw money from ATMs of a private bank in India.

“What has happened is something of a very sophisticated nature and we have not seen this in our other investigations. I will not be able to provide further specifics of the Hitachi breach as SISA respects client confidentiality in forensic investigations… We have received a direction from the National Security Coordinator, Government of India, to share this report only with Hitachi…” Dharshan Shanthamurthy, founder-CEO of SISA, the company hired by Hitachi for the forensic audit, told ET. SISA has shared some learnings with government agencies. After repeated requests from NPCI, Hitachi is learnt to have shared the report with the national payments company.

THE KILL-CHAIN

There are four stages in the ‘kill-chain’ of a cyber breach: (1) how the malware gets in; (2) how it escalates within the system; (3) how data is taken out; (4) how effectively the hacker cleans the system it penetrates. Besides the scale and extent of the compromise, what distinguishes the Hitachi breach from past attacks is the pace at which the malware travelled within the Hitachi network once it was inside. “The code was written in a way that it made sure the malware worked on the Hitachi system... it was virtually sitting on the administrator’s laptop,” said another person familiar with the investigation.

According to KK Mookhey, founder of Network Intelligence, which investigated the matter on behalf of one of the banks, the Hitachi breach, with its advanced and targeted nature, was a “watershed moment in the Indian cybersecurity space”. “Incident response is an area in which most Indian organisations have very nascent capabilities. This breach brought those gaps to light. It also served notice that attackers see Indian financial institutions as lucrative targets,” he said.

While banks have focused on protecting against malicious code (or malware), attackers are using spear-phishing to obtain valid usernames and passwords, and then using the built-in capabilities of operating systems such as Windows to complete the hack. “Trying to catch malware is a strategy doomed to failure. Banks have a lot of focus on guarding the perimeter (city walls). However, once somebody sneaks through, they cannot detect the ‘privilege escalation’ and ‘lateral movement’ phase of the attack (behind the city walls). I feel the Hitachi attack was highly targeted, with a specific goal in mind and also succeeded without any prior detection,” said Sahir Hidayatullah, CEO of Smokescreen, which specialises in deception tactics to battle cyber crime.

BEYOND ATMS

Besides the sinister power of smartly coded malware, other lessons from the Hitachi breach are:

** It’s a mistake to believe that such an attack is isolated to the ATM processor environment and will not affect other verticals and establishments in the payments industry.

“This attack vector can happen to any payment environment — banks, wallet companies, UPI (Unified Payments Interface), IMPS (Immediate Payment Service), retailers (ecommerce/brick-and-mortar), national switches and processors. These attacks are not restricted to cardholder environment and can apply to any payment form factor,” said SISA’s Shanthamurthy.

** For businesses, the focus has to shift to ‘detection’ rather than ‘prevention’, as preventing the attacker from getting an initial foothold is almost impossible. Malware has to be detected before the attacker succeeds at ‘lateral movement’ and ‘privilege escalation’, said Hidayatullah.

** If an attack has been successful in one environment, it will most likely be used again, and not necessarily in the same industry vertical.

“The bad guys have a better information-sharing mechanism than what we have. They in all probability will go behind the next most vulnerable organisation where they can compromise larger payment data,” said Shanthamurthy.
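The two points above that banks struggle to detect, lateral movement and privilege escalation after valid credentials have been phished, can be watched for in the operating system’s own audit trail rather than by hunting for malware signatures. The following is an added illustration, not code from the forensic report or from any firm quoted here. It runs two simple rules over constructed Windows Security log records: an account logging on remotely (logon type 3 or 10, event 4624) to several distinct hosts within a short window, and an account being granted special privileges (event 4672) on a host where it is not a known administrator. The account names, host names and the baseline of expected admins are all invented for the example.

```python
"""Toy post-foothold detector: lateral movement and privilege escalation
from Windows Security log events (added example; all records constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Field names are ours; the event IDs follow the
# Windows Security log: 4624 = successful logon, 4672 = special privileges
# assigned to a new logon. ltype is the logon type field of 4624.
SAMPLE_EVENTS = [
    {"ts": "2016-06-01T09:00:00", "id": 4624, "user": "jdoe",    "host": "WS-01",    "ltype": 2},
    {"ts": "2016-06-01T09:00:01", "id": 4672, "user": "jdoe",    "host": "WS-01",    "ltype": None},
    {"ts": "2016-06-01T10:00:00", "id": 4624, "user": "svc_atm", "host": "ATMSW-01", "ltype": 3},
    {"ts": "2016-06-01T10:01:30", "id": 4624, "user": "svc_atm", "host": "ATMSW-02", "ltype": 3},
    {"ts": "2016-06-01T10:03:10", "id": 4624, "user": "svc_atm", "host": "ATMSW-03", "ltype": 3},
    {"ts": "2016-06-01T10:04:00", "id": 4624, "user": "svc_atm", "host": "HSM-GW",   "ltype": 10},
    {"ts": "2016-06-01T10:04:05", "id": 4672, "user": "svc_atm", "host": "HSM-GW",   "ltype": None},
    {"ts": "2016-06-01T11:00:00", "id": 4624, "user": "backup",  "host": "FS-01",    "ltype": 3},
    {"ts": "2016-06-01T14:00:00", "id": 4624, "user": "backup",  "host": "FS-02",    "ltype": 3},
]

# Constructed baseline: (account, host) pairs where admin rights are expected.
BASELINE_ADMINS = {("jdoe", "WS-01"), ("backup", "FS-01"), ("backup", "FS-02")}

# Logon types that mean "came in over the network": 3 = network (SMB/RPC),
# 10 = RemoteInteractive (RDP). Interactive console logons (2) are ignored.
REMOTE_LOGON_TYPES = {3, 10}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_lateral_movement(events, window_minutes=10, min_hosts=3):
    """Flag an account that logs on remotely to >= min_hosts distinct hosts
    within a sliding window. Emits one alert per burst, then resets."""
    alerts = []
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> deque of (timestamp, host)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        if ev["id"] != 4624 or ev["ltype"] not in REMOTE_LOGON_TYPES:
            continue
        ts = parse_ts(ev["ts"])
        q = recent[ev["user"]]
        q.append((ts, ev["host"]))
        while q and ts - q[0][0] > window:  # drop logons older than the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            alerts.append({"rule": "lateral_movement", "user": ev["user"],
                           "first_seen": q[0][0].isoformat(), "hosts": sorted(hosts)})
            q.clear()  # one alert per burst rather than one per extra host
    return alerts


def detect_privilege_escalation(events, baseline):
    """Flag 4672 (special privileges assigned) for an account/host pair that
    is not in the known-admin baseline."""
    alerts = []
    for ev in events:
        if ev["id"] == 4672 and (ev["user"], ev["host"]) not in baseline:
            alerts.append({"rule": "privilege_escalation", "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"]})
    return alerts


def run(events, baseline=BASELINE_ADMINS):
    """Run both rules and return the combined alert list."""
    return detect_lateral_movement(events) + detect_privilege_escalation(events, baseline)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the service account fans out to three ATM switch hosts within four minutes and then receives admin-level privileges on a gateway it has never administered, so both rules fire; the interactive logon and the backup account’s widely spaced logons do not. The thresholds and the admin baseline are the parts a real deployment would tune to its own environment, and neither rule depends on recognising the malware itself, which is the point the quoted practitioners make.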